CUSTOM signing


Julian Weiß

May 29, 2026, 2:55:19 AM
to swupdate
Hi there,

the custom signing implementation of the meta-swupdate-layer should provide a way to also receive the sw_desc_sig and sw_desc parameters via command line. Especially since the value of sw_desc includes a case distinction.

You can find the code in swupdate-common.bbclass:prepare_sw_description.

Kind regards

Stefano Babic

May 29, 2026, 5:58:12 AM
to Julian Weiß, swupdate
Hi Julian,

On 5/29/26 08:54, Julian Weiß wrote:
> Hi there,
>
> the custom signing implementation of the meta-swupdate-layer should
> provide a way to also receive the sw_desc_sig and sw_desc parameters via
> command line. Especially since the value of sw_desc includes a case
> distinction.
>

I added this as a feature request to the documentation, see
https://github.com/sbabic/swupdate/blob/master/doc/source/improvement_proposals.rst#enhance-custom-signing

Best regards,
Stefano Babic

--
_______________________________________________________________________
Nabla Software Engineering GmbH
Hirschstr. 111A | 86156 Augsburg | Tel: +49 821 45592596
Geschäftsführer : Stefano Babic | HRB 40522 Augsburg
E-Mail: sba...@nabladev.com

Stefano Babic

May 29, 2026, 11:11:30 AM
to Julian Weiß, swupdate
Hi Julian,

On 5/29/26 13:45, Julian Weiß wrote:
> will you merge a PR?
>

I merge reviewed patches. If you send patches to the ML, they will be
reviewed and if they are accepted, I'll merge.

> I was also thinking about adding support for signing methods such as
> e.g. VAULT, to support that specific kind of KMS (HashiCorp's VAULT)...
> Ever thought about something like that?

Yes, but at the moment there was no request.

Best regards,
Stefano Babic


Ayoub Zaki

May 29, 2026, 11:15:41 AM
to Stefano Babic, Julian Weiß, swupdate
There is a possibility to abuse pkcs11 to do custom signing:

https://github.com/siemens/pkcs11-to-cmd

I didn't try it, but it was suggested to me by a Siemens guy who requested custom sign for my stm32p sign tool, so I think it could work.

Best regards



Stefano Babic

May 29, 2026, 11:29:48 AM
to Ayoub Zaki, Julian Weiß, swupdate
Hi Ayoub,

On 5/29/26 17:15, Ayoub Zaki wrote:
> There is a possibility to abuse pkcs11 to do custom signing:
>
> https://github.com/siemens/pkcs11-to-cmd
>
> I didn't try it but was suggested to me by a Siemens guy who requested
> custom sign for my stm32p sign tool, so I think it could work.
>

Thanks, but it doesn't seem to add a lot of value. It looks to me
(maybe I am wrong?) like just a wrapper for pkcs11-tool, and well, by
preparing a build server, we can already provide all required tools.

In my understanding we have several use cases:

- Safe retrieval of keys for signing / encryption during the build
(that means using an HSM or cloud services like HashiCorp Vault).

- customer's protected servers that own keys and are the only ones
allowed to sign. The build process has an API to sign / encrypt files.

The tool doesn't seem to help with these use cases that I know exist.

Best regards,
Stefano